[permissions-policy] Privacy by default

Hi

I was wondering why there is no default method. Without a default=() (e.g. no permissions), our websites have to return a long list of deny permissions. Furthermore, this list needs to be updated whenever new permissions appear. IMHO it would make much more sense to have a deny-all setting and open for the features we know our solution supports. In this way, we would also restrict any unauthorized code (injection attacks, supply chain attacks, content editors' HTML).

How come this design was chosen and how can I influence the standard?

Always have fun



Per Østergaard
Principal Engineer
Digital Security
Mobile
+4540235746
E-mail: Per.Oestergaard@lego.com

LEGO System A/S
Åstvej
7190 Billund
Denmark
Company: +45 79506070
www.LEGO.com

Received on Monday, 6 December 2021 21:18:30 UTC
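
The workaround the message describes (enumerate every feature and deny it, then open only what the site needs) can be generated and audited rather than maintained by hand. The sketch below is an added example, not part of the original message or of the specification; the feature list is a constructed sample rather than a complete registry, and the function names are hypothetical.

```javascript
// Constructed sample of feature names; a real deployment needs the full, current list.
const KNOWN_FEATURES = [
  "accelerometer", "camera", "fullscreen", "geolocation",
  "gyroscope", "microphone", "payment", "usb",
];

// Serialise one allowlist: [] -> (), ["self"] -> (self), origins become quoted strings.
function serializeAllowlist(entries) {
  const items = entries.map((e) => {
    if (e === "self" || e === "*") return e;
    const origin = new URL(e).origin;            // throws on malformed input
    if (origin === "null") throw new Error(`not a web origin: ${e}`);
    return JSON.stringify(origin);
  });
  return items.includes("*") ? "*" : `(${items.join(" ")})`;
}

// Deny every known feature, then open only what the site declares it needs.
function buildPolicy(known, allowed = {}) {
  for (const name of Object.keys(allowed)) {
    if (!known.includes(name)) throw new Error(`unknown feature: ${name}`);
  }
  return known
    .map((name) => `${name}=${serializeAllowlist(allowed[name] || [])}`)
    .join(", ");
}

// Drift check: known features that a deployed header does not mention at all,
// and which therefore stay at the browser's default allowlist.
// Simplified parse: splits on commas, which is enough for feature=allowlist members.
function unlistedFeatures(header, known) {
  const listed = new Set(
    header.split(",")
      .map((part) => part.split("=")[0].trim().toLowerCase())
      .filter(Boolean)
  );
  return known.filter((name) => !listed.has(name));
}

// Constructed usage: a site that needs fullscreen and a third-party payment frame.
const header = buildPolicy(KNOWN_FEATURES, {
  fullscreen: ["self"],
  payment: ["self", "https://pay.example"],
});
console.log("Permissions-Policy:", header);
console.log("unlisted:", unlistedFeatures("camera=(), microphone=()", KNOWN_FEATURES));
```

Running `unlistedFeatures` against production response headers whenever the known-feature list is refreshed shows which newly added features a site has not yet denied.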